The present disclosure generally relates to the field of network authentication. More specifically, the present disclosure relates to a technique of determining a set of authentication protocols for authentication between a terminal and an authentication server of a communication network. A method embodiment includes obtaining information related to at least one of the terminal, an access network via which the terminal is connected to the communication network, and at least one gateway node or intermediate network via which the terminal is connected to the communication network. The method further includes determining, based on the obtained information, from a plurality of authentication protocols available for authentication between the terminal and the authentication server, at least one of a set of authentication protocols to be offered towards the terminal and a set of authentication protocols to be supported by the terminal for authentication between the terminal and the authentication server.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, in an apparatus having at least one processor, for determining a set of authentication protocols for authentication between a terminal and an authentication server of a communication network, the method comprising the steps of: performing by the at least one processor: obtaining information related to at least one of the terminal, an access network from which the terminal is connected to the communication network, and at least one gateway node or intermediate network from which the terminal is connected to the communication network; comparing the obtained information with one or more predefined conditions related to at least one of an identity of the terminal, a type of the access network and a type of the at least one gateway node or intermediate network by determining whether the obtained information matches one of the one or more predefined conditions; responsive to the obtained information matching one of the one or more predefined conditions, selecting, from a plurality of profiles each comprising at least one set of authentication protocols available for authentication, at least one of a set of authentication protocols to use by the authentication server in authenticating the terminal and a set of authentication protocols supported by the terminal for authentication between the terminal and the authentication server; and responsive to the obtained information matching none of the one or more predefined conditions in the comparison between the obtained information and the one or more predefined conditions: determining a default authentication protocol to use in authentication of the terminal, the default authentication protocol having a lower priority than the plurality of authentication protocols; offering the default authentication protocol towards the terminal for authentication; and responsive to receiving a Negative Acknowledgement (NAK) message in response to offering the default authentication protocol, stop offering authentication protocols towards the terminal for authentication.
2. The method of claim 1, wherein the steps of obtaining and determining are performed by at least one of the terminal and the authentication server.
3. The method of claim 1, wherein the step of determining at least one of the set of authentication protocols to use by the authentication server in authenticating the terminal and the set of authentication protocols supported by the terminal for authentication comprises selecting a profile from one or more available profiles based on the obtained information related to at least one of the terminal, the access network and the at least one gateway node or intermediate network, each of the one or more profiles comprising a set of authentication protocols used by the authentication server or supported by the terminal for authentication.
4. The method of claim 1, wherein the method further comprises: responsive to selecting the at least one of the set of authentication protocols to use, offering one or more authentication protocols contained in the at least one of the set of authentication protocols towards the terminal for authentication.
5. The method of claim 4, wherein the step of offering comprises offering the one or more authentication protocols contained in the determined set of authentication protocols towards the terminal for authentication in accordance with a predetermined priority.
6. The method of claim 1, wherein the obtained information related to at least one of the terminal, the access network and the at least one gateway node or intermediate network comprises at least one of information about the identity of the terminal, information about the identity or type of the at least one gateway node, information about the type of the intermediate network, information about the type of the access network, information about the type of the access between the terminal and the access network, information about the address of the terminal, information about a service set provided in the access network, information about access network advertisements provided and information about beacon frame settings provided in the access network.
7. A method, in an apparatus having at least one processor, for determining a set of authentication protocols to use to authenticate a terminal and that is supported by the terminal for authentication between the terminal and an authentication server of a communication network, the method comprising the at least one processor performing the steps of: obtaining information related to the access network from which the terminal is connected to the communication network; determining, based on the obtained information related to the access network, from a plurality of authentication protocols available for authentication between the terminal and the authentication server, a set of authentication protocols supported by the terminal for authentication between the terminal and the authentication server; obtaining information related to at least one of the terminal, the access network, and at least one gateway node or intermediate network from which the terminal is connected to the communication network; comparing the obtained information with one or more predefined conditions related to at least one of an identity of the terminal, a type of the access network and a type of the at least one gateway node or intermediate network by determining whether the obtained information matches one of the one or more predefined conditions; responsive to the obtained information matching one of the one or more predefined conditions, selecting, from a plurality of profiles each comprising at least one set of authentication protocols available for authentication, a set of authentication protocols to use by the terminal in authenticating the terminal; and responsive to the obtained information matching none of the one or more predefined conditions in the comparison between the obtained information and the one or more predefined conditions: receiving an offering of the default authentication protocol from the authentication server for authentication, wherein the default authentication protocol has a lower priority than the plurality of authentication protocols; and sending a Negative Acknowledgement (NAK) message in response to receiving the offering of the default authentication protocol responsive to the terminal not supporting the default authentication protocol.
8. The method of claim 7, wherein the method comprises: receiving an offering, by the authentication server, of an authentication protocol contained in the determined set of authentication protocols to use by the authentication server in authenticating the terminal; and determining, by the terminal, whether the offered authentication protocol is contained in the set of authentication protocols supported by the terminal for authentication.
9. The method of claim 8, wherein, responsive to when it is determined that the offered authentication protocol is contained in the set of authentication protocols supported by the terminal for authentication, the method comprises accepting, by the terminal, the offered authentication protocol.
10. The method of claim 8, wherein, responsive to when it is determined that the offered authentication protocol is not contained in the set of authentication protocols supported by the terminal for authentication, the method comprises offering, by the authentication server towards the terminal, another authentication protocol contained in the determined set of authentication protocols.
11. The method of claim 1, wherein at least one of the determined set of authentication protocols to use by the authentication server in authenticating the terminal and the determined set of authentication protocols supported by the terminal is empty or comprises one or more authentication protocols.
12. The method of claim 1, wherein the plurality of authentication protocols available for authentication comprises Extensible Authentication Protocol, EAP, methods.
13. The method of claim 12, wherein the plurality of authentication protocols available for authentication comprises at least one of: EAP-Transport Layer Security, EAP-TLS, EAP-message-digest, EAP-MD5, EAP-Protected One-Time Password, EAP-POTP, EAP-Pre-Shared Key, EAP-PSK, EAP-password, EAP-PWD, EAP-Tunneled Transport Layer Security, EAP-TTLS, EAP-Internet Key Exchange protocol version 2, EAP-IKEv2, EAP-Flexible Authentication via Secure Tunneling, EAP-FAST, EAP-Subscriber Identity Module, EAP-SIM, EAP-Authentication and Key Agreement, EAP-AKA, EAP-AKA Prime, EAP-AKA′, EAP-Generic Token Card, EAP-GTC and EAP-Encrypted key exchange, EAP-EKE.
14. A computer program product comprising a non-transitory computer readable storage medium storing program code, which when run on a computer system performs the steps of: obtaining information related to at least one of the terminal, an access network from which the terminal is connected to the communication network, and at least one gateway node or intermediate network from which the terminal is connected to the communication network; comparing the obtained information with one or more predefined conditions related to at least one of an identity of the terminal, a type of the access network and a type of the at least one gateway node or intermediate network by determining whether the obtained information matches one of the one or more predefined conditions; responsive to the obtained information matching one of the one or more predefined conditions, selecting, from a plurality of profiles each comprising at least one set of authentication protocols available for authentication, at least one of a set of authentication protocols to use by the authentication server in authenticating the terminal and a set of authentication protocols supported by the terminal for authentication between the terminal and the authentication server; and responsive to the obtained information matching none of the one or more predefined conditions in the comparison between the obtained information and the one or more predefined conditions: determining a default authentication protocol to use in authentication of the terminal, the default authentication protocol having a lower priority than the plurality of authentication protocols; offering the default authentication protocol towards the terminal for authentication; and responsive to receiving a Negative Acknowledgement (NAK) message in response to offering the default authentication protocol, stop offering authentication protocols towards the terminal for authentication.
15. An apparatus for determining a set of authentication protocols for authentication between a terminal and an authentication server of a communication network, the entity comprising: an obtaining circuit configured to obtain information related to at least one of the terminal, an access network from which the terminal is connected to the communication network, and at least one gateway node or intermediate network from which the terminal is connected to the communication network; a circuit configured to compare the obtained information with one or more predefined conditions related to at least one of an identity of the terminal, a type of the access network and a type of the at least one gateway node or intermediate node by determining whether the obtained information matches one of the one or more predefined conditions; and a determining circuit configured to: responsive to the obtained information matching one of the one or more predefined conditions, select, from a plurality of profiles each comprising at least one set of authentication protocols available for authentication, at least one of a set of authentication protocols to use by the authentication server in authenticating the terminal and a set of authentication protocols supported by the terminal for authentication between the terminal and the authentication server; and responsive to the obtained information matching none of the one or more predefined conditions in the comparison between the obtained information and the one or more predefined conditions: determine a default authentication protocol for use in the authentication of the terminal, the default authentication protocol having a lower priority than the plurality of authentication protocols; offer the default authentication protocol towards the terminal for authentication; and responsive to receiving a Negative Acknowledgement (NAK) message in response to offering the default authentication protocol, stop offering authentication protocols towards the terminal for authentication.
16. The entity of claim 15, wherein the apparatus comprises an authentication server.
17. The entity of claim 15, wherein the apparatus comprises a terminal.
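The selection and fallback procedure of claims 1, 7 and 10, worked through as an added Python model that is not part of the patent or any implementation of it. The profile tables, the condition keys (`access_type`, `gateway_type`, `terminal_id`) and the single-string NAK reply are constructed assumptions chosen to show the control flow: a matching condition selects a priority-ordered profile, an unmatched one falls back to a lower-priority default, and a NAK to that default ends the negotiation.

```python
# Constructed server-side profiles: predefined condition -> EAP methods in priority order.
SERVER_PROFILES = [
    ({"access_type": "3GPP"}, ["EAP-AKA'", "EAP-AKA"]),
    ({"access_type": "WLAN", "gateway_type": "ePDG"}, ["EAP-AKA", "EAP-TTLS"]),
    ({"terminal_id": "laptop@corp.example"}, ["EAP-TLS", "EAP-TTLS"]),
]
# Constructed terminal-side profiles (claim 7): access network type -> methods the terminal supports.
TERMINAL_PROFILES = {"3GPP": {"EAP-AKA'", "EAP-AKA"}, "WLAN": {"EAP-TLS", "EAP-TTLS"}}
DEFAULT_PROTOCOL = "EAP-MD5"  # assumed default; lower priority than every profile entry


def select_server_set(info):
    """Compare the obtained info with each predefined condition (claim 1).

    A condition matches when every key it names has the same value in ``info``.
    Returns the first matching profile's method list, or None when nothing matches.
    """
    for condition, methods in SERVER_PROFILES:
        if all(info.get(key) == value for key, value in condition.items()):
            return list(methods)
    return None


def terminal_supported_set(info):
    """Terminal side: derive the supported set from the access-network type (empty if unknown)."""
    return set(TERMINAL_PROFILES.get(info.get("access_type"), ()))


def terminal_reply(offered, supported):
    """Accept an offered method if the terminal supports it, otherwise answer with a NAK (claims 8-9)."""
    return "ACCEPT" if offered in supported else "NAK"


def negotiate(info):
    """Run the offer/reply exchange. Returns (agreed method or None, transcript of (offer, reply))."""
    supported = terminal_supported_set(info)
    transcript = []
    candidates = select_server_set(info)
    if candidates is None:
        candidates = [DEFAULT_PROTOCOL]  # no condition matched: offer the default once
    for method in candidates:
        reply = terminal_reply(method, supported)
        transcript.append((method, reply))
        if reply == "ACCEPT":
            return method, transcript
        # NAK: fall through to the next method of the determined set (claim 10);
        # when the default was offered there is no next method, so offering stops.
    return None, transcript
```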
March 17, 2014
September 24, 2019